SQL Injection Attacks
SQL injection is a particularly widespread and dangerous form of injection flaw. To exploit it, an attacker must find a parameter that the web application passes through into a database query. By embedding SQL syntax in the content of that parameter, the attacker can trick the application into forwarding a query of the attacker's choosing to the database. These attacks are not difficult to attempt, and more tools are emerging that scan for these flaws. The consequences are particularly damaging, since an attacker can read, corrupt, or destroy database contents.
Injection flaws can be very easy to discover and exploit, but they can also be extremely obscure. The consequences likewise span the entire range of severity, from trivial to complete compromise or destruction of the system. In any case, web applications that build database queries from user-supplied input are so common that the likelihood of a given web application having an SQL injection flaw should be considered high.
The impact of an SQL injection flaw on sensitive data can be reduced by deciding carefully where and when sensitive data such as Social Security numbers and names are stored. If an application does not absolutely require certain data, do not keep that data in a database that is also used by, or reachable from, a web application. Limiting exposure this way bounds the damage; it does not fix the flaw itself, which has to be remediated in the application code.
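The following is an added example, not code from the original page or from OSU. It uses Python's built-in sqlite3 module with a constructed users table and two constructed attacker payloads to show the mechanism described above: a parameter spliced into the query text lets a tautology return every row and a UNION read the password_hash column the query never meant to expose, while the same lookup written with a bound parameter treats the payload as a literal username and returns nothing. The function names and schema are assumptions made for the illustration; the bound-parameter version is the standard remediation.

```python
import sqlite3

# Added example, not from the original page. The schema, the two sample users
# and the function names are constructed here for illustration only.


def make_db():
    """Build an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "h1", "admin"), ("bob", "h2", "user")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """Vulnerable: the request parameter is spliced into the SQL text, so any
    quote or keyword it contains is parsed by the database as part of the query."""
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Remediated: a bound parameter is sent separately from the SQL text and is
    only ever treated as a value, never as query syntax."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Two attacker-controlled parameter values (constructed). The first turns the
# WHERE clause into a tautology; the second appends a UNION that reads a column
# the original query was never meant to return.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, password_hash FROM users WHERE '1'='1"


def demo():
    """Run both lookups against a normal value and both payloads, returning the
    rows so the difference can be inspected or asserted on, not only printed."""
    conn = make_db()
    results = {
        "normal_vulnerable": lookup_user_vulnerable(conn, "bob"),
        "tautology_vulnerable": sorted(lookup_user_vulnerable(conn, TAUTOLOGY)),
        "union_vulnerable": sorted(lookup_user_vulnerable(conn, UNION_DUMP)),
        "normal_safe": lookup_user_safe(conn, "bob"),
        "tautology_safe": lookup_user_safe(conn, TAUTOLOGY),
        "union_safe": lookup_user_safe(conn, UNION_DUMP),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Note that sqlite3's execute() refuses to run more than one statement per call, so a stacked payload such as a trailing "; DROP TABLE users" fails in this demo; many other database drivers do execute stacked statements, which is where the "destroy database contents" outcome comes from. The UNION payload also relies on the attacker matching the column count of the original SELECT, which is exactly the kind of probing the scanning tools mentioned on this page automate.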
Web Application Scanning
Currently, SQL injection vulnerabilities are our primary focus for scanning. We offer web application scanning with a product called AppScan, which can scan for SQL injection and other common web application problems.
Contact us at security@osu.edu and we can arrange to scan your site and discuss the results with you.
External Resources
Language Specific Remediation Documents
Some of the content on this page is taken directly from: http://www.owasp.org/index.php/Injection_Flaws
